Hidden Security Threats of Kiosks: Online Only

Call credit union kiosks the equipment of the moment: vendors and analysts seem buoyant about the market opportunity as financial institutions continue to cut staff to better control expenses and, at the same time, iPads and Kindle Fires and still other tablets have trained a nation in how to use interactive screens.

Install lobby kiosks and, suddenly, members can easily check account balances and apply for loans. Would-be employees can apply for jobs. And just about anybody can get answers to common questions such as where branches are and what hours the credit union is open.

What’s not to like about that low-cost information delivery?

Well, there a dark side that just is not well understood by credit union executives, say many experts. But it is increasingly understood by cyber crooks.

The problems are two-fold: kiosks usually are networked computers that are tied into the institution’s systems and, in many cases, the kiosks are comparatively unprotected, say the experts.

“Kiosks have great appeal – organizations are doing more and more with them But what is the extent that security has a place at the design table?“ asked Alan Brill, senior managing director for cyber security at Kroll Inc. He added, “We have found that there is a tendency to get kiosks deployed – and then we will come back and get it secure.”

There already has been significant security breaches associated with kiosks. None are known to involve credit unions. But the breaches show the potential damage.

At UMass Memorial Healthcare in Massachusetts, for instance, 10 payroll kiosks made available to employees were easily coaxed into revealing pay stub data about other employees. It was not disclosed how many employees were impacted, but the breach was believed to have been in the system for five months before security learned of it and took the kiosks out of use.

At retailer TJX, meantime, perhaps the most infamous kiosk-related security breach occurred when hackers used in-store employment kiosks (where job hunters apply for positions) as a gateway into the company’s IT systems. That led to pilfering information involving millions of credit cards.

Next stop, say some experts, may be financial institution kiosks. Said Claire Shufflebotham, a security expert with NCR: “Fraudsters migrate to the weakest link – right now they are busy compromising ATMs. But I think kiosks will become the weak link.”

A frightening reality, said Jack Koziol, a director at InfoSec Institute, is that many, many kiosks remain vulnerable to attack via built-in USB ports, the route that undid the TJX kiosks. But it could be much uglier still at a financial institution. “With a USB switchblade” - a simple plug in device well understood by cyber crooks that lets them run unauthorized software – “hackers could get access to user passwords and login credentials,” said Koziol.

That is just the start of the troubles, however.

“Inside the vast majority of kiosks is a Windows device that has all the Windows vulnerabilities,” said Jeff McNaught, an executive with cloud computing expert Wyse. That indeed is the problem with many kiosks, said the experts.

Many are simply Windows computers (occasionally Apple iPads) that have been lightly repurposed with a software front end that is intended to limit the functionality on the device - but every hacker knows ways to thwart those limits.

That does not mean it is time to unplug kiosks. What it does mean is that steps have to be taken to toughen kiosks against crooks, said John Viega, an executive at Perimeter E-Security. He ticked off two must-do’s: step one is building in a white list of permitted websites – and denying access to any site not on the list.

Step two: put limitations on what applications can run on the device (if an app is not listed, it won’t run – and that would prevent hacker tools such as key loggers from infecting the device), said Viega.

Step three, said Brill, is fully understanding how any kiosks interface with the institution’s network – and “taking steps to defend the network.”

Step four is acknowledging that kiosks are fast vaulting up the list of temptations for cyber crooks and that means that security needs to be built in from the start. Do that, said Brill, and institutions just may continue to get the benefits they want from kiosks while also containing the risks.